Help: Safely share Jellyfin on Windows over internet

I’m running a TrueNAS box and a separate Windows machine that only runs Jellyfin. I’ve been googling how to share access to my personal home videos in a secure way. I heard Wendell wants to make a guide for this, but I think he wants to do more than is humanly possible and it’s probably gonna be a more practical Linux implementation that I absolutely would need a guide to even attempt to follow :laughing:

I need help with opening up my Jellyfin Windows server to friends and family, but nobody else. From what I read there is high risk involved with opening up to remote connections and so it should be avoided if possible.

I’m also unsure what path to go with, as I’ve seen people describe using anything from IPsec tunnels to setting up websites as an interface to connect through, so there are many solutions. What I need is basically to be able to give only the ones I want access and be inaccessible otherwise :melting_face:

Couple clarification questions:

Are you looking to have people directly connect to your Jellyfin server, or do you want the server to be a “second hop” where you have a more hardened server acting as a frontend that handles the connections?

Do you want this on the open internet, locked down by web-authentication, or do you want people to VPN in?

How tech-savvy are your friends and family? Use the lowest common denominator.

2 Likes

I’m running an IPsec VPN to my parents, but it doesn’t perform very well with 4K HDR videos of my cats and dogs, so I did manage to make Jellyfin think it’s a remote connection by whitelisting their network/subnet, so it transcoded more instead of just streaming at very high bitrate.

I run everything through Traefik myself and then have my domain name and traffic through Cloudflare. I use their WAF to block every IP address that hits the domain unless it matches the IP address I have in the rule. It does require knowing the public IP address, but there are ways to automate the process if needed!

Thank you! I’ll look into this approach when I get home from work around Christmas

1 Like

Step one: install a firewall; I recommend Comodo firewall.
Step two: update Windows.
Step three: firewall on the router + NAT.
Step four: determine the IP addresses of people who are allowed to connect.
Step five: set firewall access rules for these IPs.
Step six: forward the correct port on the router to the server.

Many will say revproxy, VPN, Tailscale and many others… But this does not increase access security at all.
The traffic itself, if it is only https, will be encrypted and this should be enough in the context of protecting the data stream.

The problem is the security of accessing and exposing the service to the world.
Therefore, you should never provide a service to the entire Internet if this is not your goal.
Control at the per-IP level is quite clumsy, but it will initially filter out everything that does not belong to a trusted group of people. Of course, provided that they have their own permanent IP.

1 Like
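The per-IP allowlist from steps four and five of the last post, as an added example that is not part of the thread. It uses the built-in Windows Defender Firewall cmdlets rather than the Comodo product the post recommends, and assumes Jellyfin's default HTTP port 8096; the rule name is hypothetical and the addresses are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: Jellyfin listens on its default HTTP port 8096;
# the rule name is hypothetical; the addresses are constructed placeholders
# from the documentation ranges and must be replaced with your peers' real IPs.
$Port     = 8096
$RuleName = 'Jellyfin - trusted peers only'
$Trusted  = @('203.0.113.10', '198.51.100.0/24')

# 1. The allowlist only means something if unmatched inbound traffic is dropped.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile '$($_.Name)' is disabled or allows inbound by default." }

# 2. Allow rules are additive: one enabled rule that admits any remote address
#    to this port (often created by the "allow access" prompt) defeats the allowlist.
#    Port ranges such as 8000-9000 are not expanded by this check.
$broad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $p = $_ | Get-NetFirewallPortFilter
        $a = $_ | Get-NetFirewallAddressFilter
        $x = $_ | Get-NetFirewallApplicationFilter
        ($p.Protocol -in 'TCP', 'Any') -and
        (@($p.LocalPort) -contains "$Port" -or @($p.LocalPort) -contains 'Any') -and
        (@($a.RemoteAddress) -contains 'Any') -and
        ($x.Program -eq 'Any' -or $x.Program -like '*jellyfin*')
    }
$broad | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
if ($broad) { Write-Warning 'Review the rules above: disable them or scope their RemoteAddress.' }

# 3. Create the scoped rule, or refresh its address list when a peer's IP changes.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Trusted
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $Trusted -Profile Any | Out-Null
}

# 4. Show the addresses the rule now admits.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Re-running the script with an edited `$Trusted` list updates the existing rule instead of adding a second one. The warning in part 2 matters most on machines where Jellyfin was allowed through the firewall prompt at first launch, since that rule is not restricted by remote address.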